How to setup OPENVPN Server on Debian Lenny
The following steps describe how to set up the OPENVPN server-side configuration on Debian Lenny, but do not forget that these steps are customized for the network scheme above. Therefore this documentation does not include default configurations at every stage.
1. Install Debian Lenny on your server, and be sure that you have two different NICs available. Modify your network settings in “/etc/network/interfaces”:
#vim /etc/network/interfaces
iface eth0 inet static
address 1.1.1.1
netmask 255.255.255.0
gateway 1.1.1.2
iface eth1 inet static
address 192.168.1.3
netmask 255.255.255.0
2. Update and upgrade your Debian OS with:
#apt-get update
#apt-get upgrade
3. Install the “openvpn” package from the Debian repositories with apt-get:
#apt-get install openvpn
4. If you do not already have them, install “openssl” and “liblzo1” with apt-get:
#apt-get install openssl
#apt-get install liblzo1
5. The default directory for the easy-rsa certificate scripts is “/usr/share/doc/openvpn/examples/easy-rsa/2.0/”, so we change the working directory:
#cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/
6. Now we will create the CA certificate:
#. ./vars
#./clean-all
#./build-ca
7. Then we will create the server certificate:
#./build-key-server server
8. Then we will create the client certificate:
#./build-key client
9. We will build the Diffie-Hellman parameters:
#./build-dh
10. If you wonder where the keys you have just created are, change to the /keys directory:
#cd /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/
#ls -al
ca.key ca.crt server.key server.csr server.crt client.key client.crt client.csr
11. Now we have the keys and certificates, so we will send them to the clients that want to connect to the OPENVPN Server. Just be sure that:
ca.key -> must only be on the CA server
client.crt -> must only be on the client
client.key -> must only be on the client
server.crt -> must only be on the OPENVPN Server
server.key -> must only be on the OPENVPN Server
ca.crt -> must be on the CA server and on all of the clients.
12. After you have transferred the files above safely, you must modify the main configuration file of the OPENVPN Server, which is “server.conf”.
#cd /usr/share/doc/openvpn/examples/sample-config-files/
#vim server.conf
port 1194
proto udp
dev tun
ca /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/ca.crt
cert /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.crt
key /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/server.key
dh /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn.log
verb 3
13. After you have typed the configuration above into your “server.conf” file, copy it to the “/etc/openvpn” directory:
#cp server.conf /etc/openvpn/
14. Restart your server.
15. Now we have to set up NAT with iptables, because I want to allow the OpenVPN clients to connect to my internal local area network securely.
16. Install iptables:
#apt-get install iptables
17. Typing
#sudo iptables -L
lists your current iptables rules. Because you have just set up your server, you will have no rules, and you should see:
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
18. Now we will write our rules and load them into iptables.
#vim /etc/iptables.test.rules
*nat
:PREROUTING ACCEPT [381:35017]
:POSTROUTING ACCEPT [2:155]
:OUTPUT ACCEPT [2:155]
-A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.3
-A POSTROUTING -s 10.8.0.0/24 -d ! 192.168.1.0/24 -o eth0 -j SNAT --to-source 1.1.1.1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun+ -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
19. We will activate the rules:
#iptables-restore < /etc/iptables.test.rules
20. We will check the rules now with:
#iptables -L
21. Now we will save the configuration to the main iptables file.
#iptables-save > /etc/iptables.up.rules
22. Now we create a new file, because we want these rules to be loaded automatically when the server restarts:
#vim /etc/network/if-pre-up.d/iptables
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
23. Make this file executable:
#chmod +x /etc/network/if-pre-up.d/iptables
24. We enable packet forwarding:
#nano /etc/sysctl.conf
net.ipv4.ip_forward=1
25. We will make some modifications in /etc/network/interfaces, because we want to route the OpenVPN clients. I mean, they will be routed to our co-located servers securely.
#vim /etc/network/interfaces
...
up route add -net 3.3.3.3 netmask 255.255.255.255 gw 192.168.1.2 dev eth1
...
26. Restart the server.
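As an added check (example script written for this page, not part of the original post), the shell function below audits the finished host against the placement rules of step 11 and the server.conf of step 12: every ca/cert/key/dh file the config names must exist, the server's private key must not be readable by group or others, and ca.key must not sit in the keys directory of the running VPN server. The config path, the keys directory argument and the use of ls -l for the permission check are assumptions of the example.

```shell
#!/bin/sh
# audit_openvpn_keys.sh: verify that the key material named in an OpenVPN server.conf
# is present, private and placed as step 11 requires (example, not from the post).
# Assumption: relative file names in the config are resolved against the keys directory.

# Print the group/other permission bits of a file, e.g. "------" or "r--r--".
other_perms() {
    ls -ld "$1" | cut -c5-10
}

# Print the first argument of a directive in the config: "key foo.key" -> "foo.key".
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# audit_openvpn_conf <server.conf> <keys-dir-on-this-host>
# Returns 0 when every check passes, otherwise the number of findings.
audit_openvpn_conf() {
    conf=$1; keydir=$2; findings=0
    for directive in ca cert key dh; do
        f=$(conf_value "$conf" "$directive")
        if [ -z "$f" ]; then
            echo "MISSING: no '$directive' directive in $conf"; findings=$((findings + 1)); continue
        fi
        case $f in /*) ;; *) f="$keydir/$f" ;; esac
        if [ ! -f "$f" ]; then
            echo "MISSING: $directive file $f does not exist"; findings=$((findings + 1)); continue
        fi
        # The server's private key must be readable by root only.
        if [ "$directive" = key ] && [ "$(other_perms "$f")" != "------" ]; then
            echo "PERMS: $f is readable by others (mode $(ls -ld "$f" | cut -c1-10))"
            findings=$((findings + 1))
        fi
    done
    # Step 11: ca.key belongs on the CA host only, never beside the running VPN server.
    if [ -f "$keydir/ca.key" ]; then
        echo "LEAK: $keydir/ca.key is present on the VPN server; keep the CA key on the CA host only"
        findings=$((findings + 1))
    fi
    return $findings
}
```

Run it as `audit_openvpn_conf /etc/openvpn/server.conf /etc/openvpn/keys` (paths assumed); a non-zero exit status is the number of problems printed.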

Can you tell me how to create a new certificate for a client some day later, when I add more users?
You can check the following link about how to create new client certificates:
http://cihan.me/how-to-create-easy-rsa-key-for-non-existing-client-at-openvpn-server/
How can I remove a pkcs12 client from the server’s database?
Regards, Vlado
cd to the easy-rsa directory as you did for key generation, then type the commands below. Do not forget to replace “client” with your client’s certificate name.
#. ./vars
#./revoke-full client